authgear · tung2744 · Feb 27, 2025 · Feb 27, 2025 · Feb 27, 2025 · Feb 28, 2025
diff --git a/pkg/lib/config/secret_data.go b/pkg/lib/config/secret_data.go
@@ -258,28 +258,65 @@ var _ = SecretConfigSchema.Add("TwilioCredentials", `
 	"type": "object",
 	"additionalProperties": false,
 	"properties": {
+		"credential_type": {
+			"type": "string",
+			"enum": ["api_key", "auth_token"]
+		},
 		"account_sid": { "type": "string" },
 		"auth_token": { "type": "string" },
+		"api_key_sid": { "type": "string" },
+		"api_key_secret": { "type": "string" },
 		"message_service_sid": { "type": "string" }
 	},
-	"required": ["account_sid", "auth_token"]
+	"required": ["account_sid"],
+	"allOf": [
+		{
+			"if": {
+				"properties": { "credential_type": { "const": "api_key" } },
+				"required": ["credential_type"]
+			},
+			"then": { "required": ["api_key_sid", "api_key_secret"] },
+			"else": { "required": ["auth_token"] }
+		}
+	]
 }
 `)
 
+type TwilioCredentialType string
+
+const (
+	TwilioCredentialTypeAPIKey    TwilioCredentialType = "api_key"
+	TwilioCredentialTypeAuthToken TwilioCredentialType = "auth_token"
+)
+
 type TwilioCredentials struct {
-	AccountSID          string `json:"account_sid,omitempty"`
-	AuthToken           string `json:"auth_token,omitempty"`
-	MessagingServiceSID string `json:"message_service_sid,omitempty"`
+	// For write only, always use GetCredentialType to read the value
+	CredentialType      *TwilioCredentialType `json:"credential_type,omitempty"`
+	AccountSID          string                `json:"account_sid,omitempty"`
+	AuthToken           string                `json:"auth_token,omitempty"`
+	APIKeySID           string                `json:"api_key_sid,omitempty"`
+	APIKeySecret        string                `json:"api_key_secret,omitempty"`
+	MessagingServiceSID string                `json:"message_service_sid,omitempty"`
 }
 
 func (c *TwilioCredentials) SensitiveStrings() []string {
 	return []string{
 		c.AccountSID,
 		c.AuthToken,
+		c.APIKeySID,
+		c.APIKeySecret,
 		c.MessagingServiceSID,
 	}
 }
 
+func (c *TwilioCredentials) GetCredentialType() TwilioCredentialType {
+	if c.CredentialType == nil {
+		// Old data does not specify credential_type. Treat it as auth_token.
+		return TwilioCredentialTypeAuthToken
+	}
+	return *c.CredentialType
+}
+
 var _ = SecretConfigSchema.Add("NexmoCredentials", `
 {
 	"type": "object",

diff --git a/pkg/lib/config/secret_update_instruction.go b/pkg/lib/config/secret_update_instruction.go
@@ -780,9 +780,12 @@ type SMSProviderSecretsUpdateInstructionSetData struct {
 }
 
 type SMSProviderSecretsUpdateInstructionTwilioCredentials struct {
-	AccountSID          string `json:"accountSID,omitempty"`
-	AuthToken           string `json:"authToken,omitempty"`
-	MessagingServiceSID string `json:"messagingServiceSID,omitempty"`
+	CredentialType      TwilioCredentialType `json:"credentialType,omitempty"`
+	AccountSID          string               `json:"accountSID,omitempty"`
+	AuthToken           string               `json:"authToken,omitempty"`
+	APIKeySID           string               `json:"apiKeySID,omitempty"`
+	APIKeySecret        string               `json:"apiKeySecret,omitempty"`
+	MessagingServiceSID string               `json:"messagingServiceSID,omitempty"`
 }
 
 type SMSProviderSecretsUpdateInstructionCustomSMSProvider struct {
@@ -849,8 +852,11 @@ func (i *SMSProviderSecretsUpdateInstruction) set(currentConfig *SecretConfig) (
 
 	if i.SetData.TwilioCredentials != nil {
 		twilioCredentials := TwilioCredentials{
+			CredentialType:      &i.SetData.TwilioCredentials.CredentialType,
 			AccountSID:          i.SetData.TwilioCredentials.AccountSID,
 			AuthToken:           i.SetData.TwilioCredentials.AuthToken,
+			APIKeySID:           i.SetData.TwilioCredentials.APIKeySID,
+			APIKeySecret:        i.SetData.TwilioCredentials.APIKeySecret,
 			MessagingServiceSID: i.SetData.TwilioCredentials.MessagingServiceSID,
 		}
 		err := upsert(TwilioCredentialsKey, twilioCredentials)

diff --git a/pkg/lib/config/testdata/parse_secret_tests.yaml b/pkg/lib/config/testdata/parse_secret_tests.yaml
@@ -335,3 +335,36 @@ config:
           certificates:
             - pem: "-----BEGIN CERTIFICATE-----\nMIIDejCCAmKgAwIBAgIgLKKTB6GZMFHZVUiFIq8LcNIr0p8HFHwKM6r5/BQ/un4w\nDQYJKoZIhvcNAQEFBQAwUDEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsM\nADENMAsGA1UEAwwEdGVzdDEPMA0GCSqGSIb3DQEJARYAMQ0wCwYDVQQDDAR0ZXN0\nMB4XDTI0MDgwODA2NTY0OFoXDTM0MDgwOTA2NTY0OFowQTEJMAcGA1UEBhMAMQkw\nBwYDVQQKDAAxCTAHBgNVBAsMADENMAsGA1UEAwwEdGVzdDEPMA0GCSqGSIb3DQEJ\nARYAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5zRfTtkaa7cIsQS+\nF1Dg25wPEvcjHsHcq598n+RzRJzfSLRtYwgEfs0VhyjHfo2O7KhNFh5cqdkEfzwA\nbfxtgVLvy3yUjTMFO0FnJqrO3dkGiOAl654XUlXb4rF8DF1sPnUdd9QEZaZHGV/8\nYuVOc3RV15jsr2jB9rra9//guAQ0CSP4XLJ5m9vf9nJILAHLryFIzDSgOVmhi4Ig\no59e9n3Hemavrta2C5Zj4cP6RNwuCV/i5lQOkzJIgksH9/EZCsR93DMEgkBS5oQQ\nrt9Bzlr03TNGW4n/CYKNULK/osqJd5r5g3zUaQZY2KAan+oSsEXvBjzYtrehN1dm\ndfbUEQIDAQABo08wTTAdBgNVHQ4EFgQUiXG6MG9PSB/clTIuzm8rW+8xLWkwHwYD\nVR0jBBgwFoAUiXG6MG9PSB/clTIuzm8rW+8xLWkwCwYDVR0RBAQwAoIAMA0GCSqG\nSIb3DQEBBQUAA4IBAQBTjdS9po3eEXukksMK6xBL3kQF1MEFUaWcgoN+h497lS9J\nXe1rmWpdZ1Aehp21GQmniRKU8uPLPRQKoX8Mhc/d3fHyv9u0YPns/2Wm8TBzxwHY\nV2KdXZfpBdN+Z5bBRbgtKxx1z2GBfB39S2WCakS9xK8f7fuQPLIZz8eq7so5T8Hm\nTU95acndEpnA0u6/MjbvXtZesTRZCewQw4CkcSLTCzB8dLG55UXHytnISWlCpuAx\n8svq/ryZIi5vhBQFO/hG9s2Q32VvfKt2ZW8qA+gvOxEVDfAEFekKokP0Taiz77Q2\nAVZxEXeABxJGtiMunQTr2q1tCrJQN0d08xlA5jXl\n-----END CERTIFICATE-----\n"
             - pem: "-----BEGIN CERTIFICATE-----\nMIIDejCCAmKgAwIBAgIgLKKTB6GZMFHZVUiFIq8LcNIr0p8HFHwKM6r5/BQ/un4w\nDQYJKoZIhvcNAQEFBQAwUDEJMAcGA1UEBhMAMQkwBwYDVQQKDAAxCTAHBgNVBAsM\nADENMAsGA1UEAwwEdGVzdDEPMA0GCSqGSIb3DQEJARYAMQ0wCwYDVQQDDAR0ZXN0\nMB4XDTI0MDgwODA2NTY0OFoXDTM0MDgwOTA2NTY0OFowQTEJMAcGA1UEBhMAMQkw\nBwYDVQQKDAAxCTAHBgNVBAsMADENMAsGA1UEAwwEdGVzdDEPMA0GCSqGSIb3DQEJ\nARYAMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5zRfTtkaa7cIsQS+\nF1Dg25wPEvcjHsHcq598n+RzRJzfSLRtYwgEfs0VhyjHfo2O7KhNFh5cqdkEfzwA\nbfxtgVLvy3yUjTMFO0FnJqrO3dkGiOAl654XUlXb4rF8DF1sPnUdd9QEZaZHGV/8\nYuVOc3RV15jsr2jB9rra9//guAQ0CSP4XLJ5m9vf9nJILAHLryFIzDSgOVmhi4Ig\no59e9n3Hemavrta2C5Zj4cP6RNwuCV/i5lQOkzJIgksH9/EZCsR93DMEgkBS5oQQ\nrt9Bzlr03TNGW4n/CYKNULK/osqJd5r5g3zUaQZY2KAan+oSsEXvBjzYtrehN1dm\ndfbUEQIDAQABo08wTTAdBgNVHQ4EFgQUiXG6MG9PSB/clTIuzm8rW+8xLWkwHwYD\nVR0jBBgwFoAUiXG6MG9PSB/clTIuzm8rW+8xLWkwCwYDVR0RBAQwAoIAMA0GCSqG\nSIb3DQEBBQUAA4IBAQBTjdS9po3eEXukksMK6xBL3kQF1MEFUaWcgoN+h497lS9J\nXe1rmWpdZ1Aehp21GQmniRKU8uPLPRQKoX8Mhc/d3fHyv9u0YPns/2Wm8TBzxwHY\nV2KdXZfpBdN+Z5bBRbgtKxx1z2GBfB39S2WCakS9xK8f7fuQPLIZz8eq7so5T8Hm\nTU95acndEpnA0u6/MjbvXtZesTRZCewQw4CkcSLTCzB8dLG55UXHytnISWlCpuAx\n8svq/ryZIi5vhBQFO/hG9s2Q32VvfKt2ZW8qA+gvOxEVDfAEFekKokP0Taiz77Q2\nAVZxEXeABxJGtiMunQTr2q1tCrJQN0d08xlA5jXl\n-----END CERTIFICATE-----\n"
+---
+name: sms-twilio-auth-token/valid-without-type
+error: null
+config:
+  secrets:
+    - data:
+        account_sid: abc
+        auth_token: abc
+        message_service_sid: abcd
+      key: sms.twilio
+---
+name: sms-twilio-auth-token/valid
+error: null
+config:
+  secrets:
+    - data:
+        credential_type: auth_token
+        account_sid: abc
+        auth_token: abc
+        message_service_sid: abcd
+      key: sms.twilio
+---
+name: sms-twilio-api-key/valid
+error: null
+config:
+  secrets:
+    - data:
+        credential_type: api_key
+        account_sid: abc
+        api_key_sid: abc
+        api_key_secret: abcd
+        message_service_sid: abcd
+      key: sms.twilio
diff --git a/pkg/lib/infra/sms/client_resolver.go b/pkg/lib/infra/sms/client_resolver.go
@@ -12,8 +12,11 @@ import (
 )
 
 type TwilioClientCredentials struct {
+	CredentialType      *config.TwilioCredentialType
 	AccountSID          string
 	AuthToken           string
+	APIKeySID           string
+	APIKeySecret        string
 	MessagingServiceSID string
 }
 
@@ -198,9 +201,13 @@ func (r *ClientResolver) clientsFromAuthgearSecretsYAML() (*nexmo.NexmoClient, *
 	}
 
 	if r.AuthgearSecretsYAMLTwilioCredentials != nil {
+		credtyp := r.AuthgearSecretsYAMLTwilioCredentials.GetCredentialType()
 		twilioClientCredentials = &TwilioClientCredentials{
+			CredentialType:      &credtyp,
 			AccountSID:          r.AuthgearSecretsYAMLTwilioCredentials.AccountSID,
 			AuthToken:           r.AuthgearSecretsYAMLTwilioCredentials.AuthToken,
+			APIKeySID:           r.AuthgearSecretsYAMLTwilioCredentials.APIKeySID,
+			APIKeySecret:        r.AuthgearSecretsYAMLTwilioCredentials.APIKeySecret,
 			MessagingServiceSID: r.AuthgearSecretsYAMLTwilioCredentials.MessagingServiceSID,
 		}
 	}
@@ -229,9 +236,13 @@ func (r *ClientResolver) clientsFromEnv() (*nexmo.NexmoClient, *NexmoClientCrede
 	}
 
 	if r.EnvironmentTwilioCredentials != (config.SMSGatewayEnvironmentTwilioCredentials{}) {
+		credtyp := config.TwilioCredentialTypeAuthToken
 		twilioClientCredentials = &TwilioClientCredentials{
+			CredentialType:      &credtyp,
 			AccountSID:          r.EnvironmentTwilioCredentials.AccountSID,
 			AuthToken:           r.EnvironmentTwilioCredentials.AuthToken,
+			APIKeySID:           "",
+			APIKeySecret:        "",
 			MessagingServiceSID: r.EnvironmentTwilioCredentials.MessagingServiceSID,
 		}
 	}

diff --git a/pkg/lib/infra/sms/twilio/client.go b/pkg/lib/infra/sms/twilio/client.go
@@ -57,10 +57,14 @@ func (t *TwilioClient) send0(ctx context.Context, opts smsapi.SendOptions) ([]by
 	req, _ := http.NewRequestWithContext(ctx, "POST", u.String(), strings.NewReader(requestBody))
 
 	// https://www.twilio.com/docs/usage/api#authenticate-with-http
-	if t.TwilioCredentials.AuthToken != "" {
+	switch t.TwilioCredentials.GetCredentialType() {
+	case config.TwilioCredentialTypeAuthToken:
 		// When Auth Token is used, username is Account SID, and password is Auth Token.
 		req.SetBasicAuth(t.TwilioCredentials.AccountSID, t.TwilioCredentials.AuthToken)
-	} else {
+	case config.TwilioCredentialTypeAPIKey:
+		// When API Key is used, username is API Key SID, and password is API Key Secret.
+		req.SetBasicAuth(t.TwilioCredentials.APIKeySID, t.TwilioCredentials.APIKeySecret)
+	default:
 		// Normally we should not reach here.
 		// But in case we do, we do not provide the auth header.
 		// And Twilio should returns an error response to us in this case.

diff --git a/pkg/portal/graphql/app.go b/pkg/portal/graphql/app.go
@@ -172,16 +172,37 @@ var samlSpSigningSecret = graphql.NewObject(graphql.ObjectConfig{
 	},
 })
 
+var twilioCredentialType = graphql.NewEnum(graphql.EnumConfig{
+	Name: "TwilioCredentialType",
+	Values: graphql.EnumValueConfigMap{
+		string(config.TwilioCredentialTypeAPIKey): &graphql.EnumValueConfig{
+			Value: config.TwilioCredentialTypeAPIKey,
+		},
+		string(config.TwilioCredentialTypeAuthToken): &graphql.EnumValueConfig{
+			Value: config.TwilioCredentialTypeAuthToken,
+		},
+	},
+})
+
 var smsProviderTwilioCredentials = graphql.NewObject(graphql.ObjectConfig{
 	Name:        "SMSProviderTwilioCredentials",
 	Description: "Twilio credentials",
 	Fields: graphql.Fields{
+		"credentialType": &graphql.Field{
+			Type: graphql.NewNonNull(twilioCredentialType),
+		},
 		"accountSID": &graphql.Field{
 			Type: graphql.NewNonNull(graphql.String),
 		},
 		"authToken": &graphql.Field{
 			Type: graphql.String,
 		},
+		"apiKeySID": &graphql.Field{
+			Type: graphql.NewNonNull(graphql.String),
+		},
+		"apiKeySecret": &graphql.Field{
+			Type: graphql.String,
+		},
 		"messagingServiceSID": &graphql.Field{
 			Type: graphql.NewNonNull(graphql.String),
 		},

diff --git a/pkg/portal/graphql/app_mutation.go b/pkg/portal/graphql/app_mutation.go
@@ -149,12 +149,21 @@ var smsProviderSecretsSetDataInput = graphql.NewInputObject(graphql.InputObjectC
 var smsProviderTwilioCredentialsInput = graphql.NewInputObject(graphql.InputObjectConfig{
 	Name: "SMSProviderTwilioCredentialsInput",
 	Fields: graphql.InputObjectConfigFieldMap{
+		"credentialType": &graphql.InputObjectFieldConfig{
+			Type: graphql.NewNonNull(twilioCredentialType),
+		},
 		"accountSID": &graphql.InputObjectFieldConfig{
 			Type: graphql.NewNonNull(graphql.String),
 		},
 		"authToken": &graphql.InputObjectFieldConfig{
 			Type: graphql.String,
 		},
+		"apiKeySID": &graphql.InputObjectFieldConfig{
+			Type: graphql.NewNonNull(graphql.String),
+		},
+		"apiKeySecret": &graphql.InputObjectFieldConfig{
+			Type: graphql.String,
+		},
 		"messagingServiceSID": &graphql.InputObjectFieldConfig{
 			Type: graphql.NewNonNull(graphql.String),
 		},

diff --git a/pkg/portal/graphql/sms_mutation.go b/pkg/portal/graphql/sms_mutation.go
@@ -52,12 +52,21 @@ var smsProviderConfigurationInput = graphql.NewInputObject(graphql.InputObjectCo
 var smsProviderConfigurationTwilioInput = graphql.NewInputObject(graphql.InputObjectConfig{
 	Name: "SMSProviderConfigurationTwilioInput",
 	Fields: graphql.InputObjectConfigFieldMap{
+		"credentialType": &graphql.InputObjectFieldConfig{
+			Type: graphql.NewNonNull(twilioCredentialType),
+		},
 		"accountSID": &graphql.InputObjectFieldConfig{
 			Type: graphql.NewNonNull(graphql.String),
 		},
 		"authToken": &graphql.InputObjectFieldConfig{
 			Type: graphql.NewNonNull(graphql.String),
 		},
+		"apiKeySID": &graphql.InputObjectFieldConfig{
+			Type: graphql.NewNonNull(graphql.String),
+		},
+		"apiKeySecret": &graphql.InputObjectFieldConfig{
+			Type: graphql.NewNonNull(graphql.String),
+		},
 		"messagingServiceSID": &graphql.InputObjectFieldConfig{
 			Type: graphql.String,
 		},

diff --git a/pkg/portal/model/app.go b/pkg/portal/model/app.go
@@ -85,9 +85,12 @@ type SAMLSpSigningSecrets struct {
 }
 
 type SMSProviderTwilioCredentials struct {
-	AccountSID          string  `json:"accountSID,omitempty"`
-	AuthToken           *string `json:"authToken,omitempty"`
-	MessagingServiceSID string  `json:"messagingServiceSID,omitempty"`
+	CredentialType      config.TwilioCredentialType `json:"credentialType,omitempty"`
+	AccountSID          string                      `json:"accountSID,omitempty"`
+	AuthToken           *string                     `json:"authToken,omitempty"`
+	APIKeySID           string                      `json:"apiKeySID,omitempty"`
+	APIKeySecret        *string                     `json:"apiKeySecret,omitempty"`
+	MessagingServiceSID string                      `json:"messagingServiceSID,omitempty"`
 }
 
 type SMSProviderCustomSMSProviderConfigs struct {
@@ -268,11 +271,14 @@ func NewSecretConfig(secretConfig *config.SecretConfig, unmaskedSecrets []config
 	smsProviderSecrets := &SMSProviderSecrets{}
 	if twilioCredentials, ok := secretConfig.LookupData(config.TwilioCredentialsKey).(*config.TwilioCredentials); ok {
 		smsProviderSecrets.TwilioCredentials = &SMSProviderTwilioCredentials{
+			CredentialType:      twilioCredentials.GetCredentialType(),
 			AccountSID:          twilioCredentials.AccountSID,
+			APIKeySID:           twilioCredentials.APIKeySID,
 			MessagingServiceSID: twilioCredentials.MessagingServiceSID,
 		}
 		if _, exist := unmaskedSecretsSet[config.TwilioCredentialsKey]; exist {
 			smsProviderSecrets.TwilioCredentials.AuthToken = &twilioCredentials.AuthToken
+			smsProviderSecrets.TwilioCredentials.APIKeySecret = &twilioCredentials.APIKeySecret
 		}
 
 	}

diff --git a/pkg/portal/model/sms.go b/pkg/portal/model/sms.go
@@ -1,15 +1,20 @@
 package model
 
+import "github.com/authgear/authgear-server/pkg/lib/config"
+
 type SMSProviderConfigurationInput struct {
 	Twilio  *SMSProviderConfigurationTwilioInput  `json:"twilio,omitempty"`
 	Webhook *SMSProviderConfigurationWebhookInput `json:"webhook,omitempty"`
 	Deno    *SMSProviderConfigurationDenoInput    `json:"deno,omitempty"`
 }
 
 type SMSProviderConfigurationTwilioInput struct {
-	AccountSID          string  `json:"accountSID,omitempty"`
-	AuthToken           string  `json:"authToken,omitempty"`
-	MessagingServiceSID *string `json:"messagingServiceSID,omitempty"`
+	CredentialType      config.TwilioCredentialType `json:"credentialType,omitempty"`
+	AccountSID          string                      `json:"accountSID,omitempty"`
+	AuthToken           string                      `json:"authToken,omitempty"`
+	APIKeySID           string                      `json:"apiKeySID,omitempty"`
+	APIKeySecret        string                      `json:"apiKeySecret,omitempty"`
+	MessagingServiceSID *string                     `json:"messagingServiceSID,omitempty"`
 }
 
 type SMSProviderConfigurationWebhookInput struct {

diff --git a/pkg/portal/sms/service.go b/pkg/portal/sms/service.go
@@ -39,8 +39,11 @@ func (s *Service) sendByTwilio(
 		messagingServiceSID = *cfg.MessagingServiceSID
 	}
 	twilioClient := twilio.NewTwilioClient(&config.TwilioCredentials{
+		CredentialType:      &cfg.CredentialType,
 		AccountSID:          cfg.AccountSID,
 		AuthToken:           cfg.AuthToken,
+		APIKeySID:           cfg.APIKeySID,
+		APIKeySecret:        cfg.APIKeySecret,
 		MessagingServiceSID: messagingServiceSID,
 	})
 

diff --git a/portal/src/graphql/portal/SMSProviderConfigurationScreen.module.css b/portal/src/graphql/portal/SMSProviderConfigurationScreen.module.css
@@ -13,3 +13,7 @@
 .providerGrid {
   @apply grid gap-4 grid-cols-2;
 }
+
+.textFieldInOption {
+  @apply ml-6 my-1;
+}